Microsoft blocking XLL add-ins to combat malware attacks.
Microsoft announced on Friday that it will begin blocking XLL add-ins from the internet in an effort to combat the growing number of malware attacks in recent months. XLL add-ins are Excel-based, and bad actors are exploiting them in phishing lures that carry malware payloads. Dave Storie, adversarial collaboration engineer at LARES Consulting, explained that the Microsoft Office Suite is an attractive target for adversaries due to its ubiquity. The recent rise in malicious Microsoft add-ins is a result of the hardening of macros that Microsoft implemented in the Office Suite last year.
Mike Parkin, senior technical engineer at Vulcan Cyber, noted that malicious actors will always find creative ways to abuse otherwise useful tools. The level of abuse has reached a point where Microsoft has included additional functionality to try to prevent attackers from abusing the XLL feature. It is unclear at this point what type of restriction Microsoft will implement, such as showing a warning or disabling XLL files from the internet.
Microsoft’s new blocking of XLL add-ins from the internet is an important step in protecting users from malicious actors. The hardening of macros implemented by Microsoft in the Office Suite last year, combined with the new blocking of XLL add-ins, will help to reduce the attack surface and increase the effort required to execute an attack on the Office Suite. This will help to protect users of the ubiquitous Microsoft Office Suite, while also preventing malicious actors from easily exploiting its features.
While Microsoft’s new blocking of XLL add-ins is a welcome step, malicious actors will always find new ways to exploit the Office Suite. Users should therefore remain vigilant and take steps to protect their systems, such as keeping their software up to date, using anti-virus solutions, and avoiding suspicious links and downloads. Organizations should also ensure their security measures are up to date and train their employees to recognize and respond to potential threats.